Search for packages
| purl | pkg:npm/nuxt@3.12.4 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-jctz-ddrp-g7gf
Aliases: CVE-2025-27415 GHSA-jvhm-gjrh-3h93 |
Nuxt allows DOS via cache poisoning with payload rendering response By sending a crafted HTTP request to a server behind an CDN, it is possible in some circumstances to poison the CDN cache and highly impacts the availability of a site. It is possible to craft a request, such as `https://mysite.com/?/_payload.json` which will be rendered as JSON. If the CDN in front of a Nuxt site ignores the query string when determining whether to cache a route, then this JSON response could be served to future visitors to the site. |
Affected by 1 other vulnerability. |
|
VCID-m6hz-c5kh-dycw
Aliases: CVE-2025-59414 GHSA-p6jq-8vc4-79f6 |
Nuxt has Client-Side Path Traversal in Nuxt Island Payload Revival A client-side path traversal vulnerability in Nuxt's Island payload revival mechanism allowed attackers to manipulate client-side requests to different endpoints within the same application domain when specific prerendering conditions are met. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-bqdh-qhnz-93hk | Nuxt vulnerable to remote code execution via the browser when running the test locally Due to the insufficient validation of the `path` parameter in the NuxtTestComponentWrapper, an attacker can execute arbitrary JavaScript on the server side, which allows them to execute arbitrary commands. |
CVE-2024-34344
GHSA-v784-fjjh-f8r4 |
| VCID-t4v9-tuw8-tbgv | nuxt vulnerable to Cross-site Scripting in navigateTo if used after SSR The `navigateTo` function attempts to blockthe `javascript:` protocol, but does not correctly use API's provided by `unjs/ufo`. This library also contains parsing discrepancies. |
CVE-2024-34343
GHSA-vf6r-87q4-2vjf |